Data Processing Agreement

Pursuant to Art. 28 (3) p. 1 GDPR

– hereinafter referred to as the DPA

between

Name/Co.: ____________________________
Street: ____________________________
Zip Code, City, Country: ____________________________
Commercial Register No.: ____________________________
Managing Director: ____________________________

– hereinafter referred to as Controller

and

Name/Co.: uphill GmbH
Street: Oranienstr. 188
Zip Code, City, Country: 10999 Berlin, Deutschland
Commercial Register No.: Amtsgericht Berlin, HRB 123671 B
Managing Director: Stephan Eyl, Nicolas Graf von Kanitz

– hereinafter referred to as Processor

– The Processor and the Controller are hereinafter referred to as (contractual) Parties. –

Annexes

  • Annex 1 – Technical and Organisational Measures (TOMs).
  • Annex 2 – Subprocessors.

The Subject-Matter of the Contract, Categories of Data, Data Subjects, Nature, Scope and Purpose of the Processing (Art. 28 (3), 30 (2) GDPR)

  1. The subject of the DPA, the personal data processed within the scope of the assignment (Art, 4 Nos. 1 and 2 GDPR; hereinafter referred to as "Data"), the data subjects concerned and the nature, scope and purposes of the processing, are determined by the following legal relationship(s) between the contractual Parties (hereinafter referred to as the "Principal Agreement"):

    Agreement on the use of Fanpage Karma and the websites, tools, functions and services associated with the services of Fanpage Karma.

    The provisions of this DPA take precedence over the Principal Agreement.

  2. The Principal Agreement includes the following basic features and special features and services provided by Fanpage Karma:

Name of the function/service:

Fanpage Karma Tool

Basic information on the processing of personal data

Purpose of the contract/services provided in the course of the contract/scope, type and purpose of data processing:

  • The processing of the following data is necessary to establish and implement the contractual relationship with regard to the use of the Fanpage Karma Tool and the services and functions associated with it in accordance with the Principal Agreement.
  • The Fanpage Karma Tool provides various functionalities (e.g. Analytics, Monitoring, Engagement, etc.). The processing of personal data within these functionalities is described separately and applies in addition to the general information in the case of the use of these functionalities by the customer.
  • The information accessible via the Fanpage Karma Tool can be made available (within the framework of the specification according to the Principal Agreement) via an Application-Programming-Interface (API).

Types of data which are regularly the subject of processing:

  • Inventory data/master data (first name, surname, gender, country code).
  • Contact data (e-mail address).
  • Data concerning the online accounts linked in the context of the use of the Fanpage Karma Tool: profile ID, authorization key (access token), list of profiles for which the Controller has special access rights (e.g. Facebook, Twitter, Instagram, LinkedIn etc.), creation date, login times, language, time zone, preferred currency, account ID, newsletter, wallpaper, own profile picture; when logging in via a mobile app: Firebase Cloud Messaging Token; email signature (for use in Engage).
  • Data regarding the use of the tool (time and functions used).
  • Meta / communication data (device IDs, IP addresses, location data).
  • In order to perform analyses for profiles, it may be necessary for the Controller to log in to the profiles and for access to the Processor's app (e.g. Twitter or LinkedIn). In these cases, the account name, account ID, access token, token secret and their expiration date are stored.

Additional types of data that are regularly processed in the case of paid accounts:

  • Inventory data/master data (company name, contact person, street, postal code, city, country).
  • Contact data (e-mail, telephone).
  • Contract and payment data (payment method, account holder, IBAN, BIC, bank (if payment by electronic direct debiting), customer reference number, ID at the payment service provider for debiting via credit card data stored there, tax identification number, list of all associated users).
  • Authorizations within the Fanpage Karma Tools to employees, the contractor stores their names, e-mail addresses and Facebook IDs.

Note: If the client has a paid subscription, an account will be created for the client, to which other users can then also be invited. In the case of invitations to an account, the contractor stores the first and last name as well as the e-mail address of the invited person.

Are special categories of data being processed?

No special categories of data are processed.

Types of processing

  • Inventory data, contact data and data concerning the online accounts and authorizations as well as usage data and meta/communication data concerning the tool are collected directly from the Controller; furthermore, data concerning online accounts and stored by the providers of the respective social media platforms are collected from them (e.g. account ID, access token, profile pictures, etc.).
  • The data will be stored by the Processor and used for the purpose of fulfilling the contract and deleted by the Processor after the end of the business relationship.

The categories of data subjects affected by the processing include:

The client and his employees as well as other users invited to the usage of the tool.

Name of the function/service:

Fanpage Karma Tool – Fanpage Karma Analytics

Purpose of the contract/services provided in the course of the contract/scope, type and purpose of data processing:

  • With the help of Fanpage Karma Analytics, the client can analyze key figures and content and compare profiles for his own and third-party social media profiles (e.g. on Facebook, Twitter, Instagram, YouTube, Pinterest, LinkedIn etc.).
  • To view protected key figures (e.g. reach, clicks, demographic data), the client must grant rights to the respective network. The Contractor shall only disclose this restricted data to authorised persons.
  • The data all come via the public interfaces of the social media platforms and are not enriched by the client.

Types of data which are regularly the subject of processing:

  • Data concerning the online accounts linked in the course of using the Fanpage Karma Tool (Facebook User ID, Facebook Access Token, list of Facebook pages for which the client has insights, Twitter Access Token, Instagram Access Token, LinkedIn Access Token, list of LinkedIn profiles for which the client has access).
  • In order to perform analyses for profiles, it may be necessary for the client to log in to these and grant access to the app of the contractor (e.g. Twitter or LinkedIn). In these cases, the account name, account ID, access token, token secret and their expiration date are stored.

Are special categories of data being processed?

No special categories of data are processed.

Types of processing

  • The data is collected from the providers of the respective social media platforms.
  • The data will be stored by the Processor and used for the purpose of fulfilling the contract and deleted by the Processorafter the end of the business relationship (taking into account the restriction according to section 8.4 of this DPA).

The categories of data subjects affected by the processing include:

Users of the social media profiles.

Name of the function/service:

Fanpage Karma Tool – Fanpage Karma Monitoring

Purpose of the contract/services provided in the course of the contract/scope, type and purpose of data processing:

  • With the assistance of Fanpage Karma Monitoring, the client can monitor keywords in public postings on social media services that are accessible for the search.
  • The contractor will query the keywords defined by the client via the public interfaces of the platforms. No special authorizations are required for this.

Types of data which are regularly the subject of processing:

Public data that is searched for after entering a keyword and made available for viewing via a link.

Are special categories of data being processed?

No special categories of data are processed.

Types of processing

  • The data is collected from the providers of the respective social media platforms.
  • The data will be stored by the Processor and used for the purpose of fulfilling the contract and deleted by the Processor after the end of the business relationship (taking into account the restriction according to section 8.4 of this DPA).

The categories of data subjects affected by the processing include:

Users of the social media profiles.

Name of the function/service:

Fanpage Karma Tool – Fanpage Karma Engage

Purpose of the contract/services provided in the course of the contract/scope, type and purpose of data processing:

  • Fanpage Karma Engage is a community management tool for answering inquiries, contributions and comments (hereinafter "messages") on social media platforms (e.g. Facebook, Twitter, Instagram) and those received by e-mail.
  • Clients grant the contractor permission so that the Karma Engage fan page can publish the answers on their behalf on the various platforms.
  • The messages can be publicly visible (e.g. Facebook Post comments or Twitter Replies) or non-public (e.g. Facebook/Twitter direct message, e-mail).

Types of data which are regularly the subject of processing:

  • Inventory data/master data (names, account names, user IDs, links to these).
  • Content data (texts, links, images, videos, documents and files published or sent by users).
  • Usage data (time of request).
  • Location data (information on places where the contributions were written).

Are special categories of data being processed?

No special categories of data are processed.

Types of processing

  • The data concerning the messages of the users are collected on the one hand from the providers of the respective social media platforms; the data concerning the responses of the Controller are collected from the Controller.
  • The data will be stored by the Processor and used for the purpose of fulfilling the contract, the answers will be transmitted to the respective social media platforms and deleted by the Processor after the end of the business relationship.

The categories of data subjects affected by the processing include:

Authors of the messages within the social media profiles.

Name of the function/service:

Fanpage Karma Tool – Fanpage Karma Publish

Purpose of the contract/services provided in the course of the contract/scope, type and purpose of data processing:

  • Fanpage Karma Publish is a tool for the editorial management and automatic publication of posts on social media platforms.
  • Users can create postings with text, links, images, documents, time of publication, restriction to user groups etc. and release them for publication through a simple release process.
  • For networks on which an automatic publication is possible (and the user has released the corresponding authorization) Fanpage Karma Engage can automatically publish the postings at the set time. In other cases, users will be asked by e-mail to publish their data.
  • Already used media (e.g. pictures, videos) can be viewed via a media library and used for further contributions.

Types of data which are regularly the subject of processing:

  • Inventory data/master data (names, account names of authors).
  • Content data (texts, links, images, videos, documents and files that are published).
  • Usage data (time of planning and publication, profile(s) to be published, restriction to user groups (targeting)).

Are special categories of data being processed?

No special categories of data are processed.

Types of processing

  • The data is collected from the Controller within the framework of the information provided by the Controller.
  • The data will be stored by the Processor and used for the purpose of fulfilling the contract, the answers will be transmitted to the respective social media platforms and deleted by the Processor after the end of the business relationship.

The categories of data subjects affected by the processing include:

Authors of the published contents

Name of the function/service:

Fanpage Karma Good Luck Fairy

Purpose of the contract/services provided in the course of the contract/scope, type and purpose of data processing:

  • Automatic evaluation of Facebook promotions, sweepstakes, etc. The information on a competition posting is imported into the Fanpage Karma Tool via the Facebook API and then evaluated according to the specified criteria. As a result, profiles of Facebook users who could have won a promotion according to various possible criteria are displayed to the client (the name, the profile picture and a link to the profile are displayed). In addition, the client can download a file showing the names and Facebook IDs of all participants as well as a file containing all user comments.

Types of data which are regularly the subject of processing:

  • User IDs, names and links to profile pictures of all users who made a comment publicly on the Facebook page to be evaluated or reacted with a reaction to the promotion (e.g. Like, Haha), as well as the time of the action and, if necessary, the text of the comment.

Are special categories of data being processed?

No special categories of data are processed.

Types of processing

  • The data is collected from providers of the respective social media platforms.
  • The data will be temporarily stored by the Processor only for the moment of the query and generation of a winner and will be deleted afterwards.

The categories of data subjects affected by the processing include:

Users of social media profiles / participants in promotions.

2. Controller and right of Instruction

  1. As the person responsible pursuant to Art. 4 No. 7 GDPR, the Controller is responsible for compliance with data protection regulations, in particular the selection of the Processor, the Data transmitted to him and the instructions issued (Art. 28 (3) a, 29 and 32 (4) GDPR).
  2. Where the Customer is itself a Processor and subcontracts the Processing to the Processor, the provisions of this DPA shall apply mutatis mutandis and the Controller of the Processing may, on the basis of this DPA, directly invoke the rights of the Customer towards the Processor.
  3. The Processor may process Data only within the framework of the Principal Agreement and the instructions of the Controller (including in particular the modification, erasure or restriction of the Data) and only to the extent that the processing is necessary for the agreed purpose, unless the Processor is required to process Data for another purpose by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest (Art. 28 (3) p. 2 a GDPR).
  4. The Controller has the right to issue additional instructions at any time with regard to the processing of the Data and the security measures.
  5. If the Processor is of the opinion that an instruction by the Controller violates applicable data protection law, he will immediately point this out to the Controller. If the Processor is of the opinion that an instruction of the Controller violates applicable data protection law, then the Processor is entitled to suspend the execution of the instruction until the Controller confirms the instruction or to reject the instruction in the case of an obviously illegal instruction.
  6. The Processor may refuse instructions if they are not possible or unreasonable for the Processor (in particular because compliance with them would impose disproportionate effort or due to a lack of technical possibilities of the Processor). The rejection is only admissible under appropriate consideration of the protection of the Data of the data subjects concerned and entitles the Controller to a termination without notice for a compelling reason of the Principal Agreement, if its continuation is unreasonable for the Controller.
  7. If additional instructions of the Controller go beyond the contractual duty of the Processor under the Principal Agreement and are not based on misconduct on the part of the Processor, then the Controller shall reimburse the Processor separately for the additional time and effort arising therefrom.
  8. The contracting Parties may appoint persons entitled to issue and receive instructions (in particular, if the responsible persons do not already follow from the Principal Agreement) and are obliged to notify the contractual Parties of any changes without delay.
  9. Responsible on the part of the Processor:
    Nicolas Graf von Kanitz
    Tel: +49 30 55656912, Fax: +49 30 577095069, E-Mail: .

3. Security of Processing and Related Obligations

  1. The Processor shall structure the internal organisation in his area of responsibility in accordance with the legal requirements and shall in particular take technical and organisational measures for appropriate security, in particular the confidentiality, integrity and availability of the Controller's Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects and ensuring their safeguarding (Art. 28 (3) and 32 - 39 in conjunction with Art 5 GDPR). Technical and organisational measures include in particular physical access control, access to processing systems, control of access to Data and input of Data, Data transfer control, control of orders and assignments, availability and integrity control, guarantee of the principle of purpose/ segregation of data and securing the rights of the affected data subjects.
  2. The technical and organisational measures on which this DPA is based are set out in Annex 1 "Technical and Organisational Measures (TOMs)". They may be further improved in the light of technical progress and replaced by adequate protective measures, provided that they do not fall below the safety level of the measures laid down and provided that the Controller is notified of any significant changes.
  3. The Processor shall keep a record of all categories of processing activities carried out on behalf of the Customer according to Article 30 (2) GDPR.
  4. The Processor ensures that persons authorised to process the personal data have committed themselves to confidentiality (Art. 28 (3) S. 2 b. and 29, 32 (4) GDPR) and have been instructed in the data protection regulations of the GDPR or are subject to an appropriate statutory obligation of confidentiality.
  5. The Data and data carriers and all copies made of them within the scope of the DPA shall remain the property of the Controller, shall be carefully stored by the Processor, protected from access by unauthorized third parties and may only be deleted with the consent of the Controller, and then only in accordance with data protection law. Copies of Data may only be made if they are necessary to fulfil the main and secondary contractual obligations of the Processor towards the Controller (e.g. backups).
  6. If specified by the GDPR or supplementary regulations, in particular national regulations, the Processor shall appoint a data protection officer in accordance with legal requirements and inform the Controller accordingly (Art. 37 to 39 GDPR).
  7. Data protection officer of the Processor:
    Dr. Thomas Schwenke, Paul-Lincke-Ufer 42/43, 10999 Berlin
    E-Mail:

4. Information Duties and Duties to Cooperate

  1. The rights of the data subjects are to be fulfilled by the Controller, whereby the Processor supports the Controller according to Art. 28 (3) S. 2 e. GDPR and informs him in particular about the enquiries of the data subjects received by the Processor.
  2. The Controller must inform the Processor immediately and completely if he detects errors or irregularities with regard to the processing of the Data or with regard to compliance with the provisions of this DPA or relevant data protection regulations.
  3. In the event that the Processor ascertains facts which justify the assumption that the protection of the Data processed for the Controller has been breached, the Processor must immediately and completely inform the Controller, take the necessary protective measures without delay and assist in the fulfilment of the obligations incumbent on the Controller pursuant to Articles 33 and 34 GDPR.
  4. Should the security of the Controller's Data be endangered by third-party actions (e.g. creditors, authorities, courts with seizure, confiscation, insolvency proceedings, etc.) the Processor will immediately inform the third parties that the sovereignty and ownership of the Data lies exclusively with the Controller and, after consultation with the Controller, will, if necessary, take appropriate protective measures (e.g. file objections, applications, etc.).
  5. The Processor shall inform the Controller without delay if a supervisory authority takes action against the Processor and its activities may affect the Data processed for the Controller. The Processor supports the Controller in the performance of his duties (in particular the provision of information and toleration of inspections) towards supervisory authorities (Art. 31 GDPR).
  6. The Processor shall provide the Controller with the information necessary for the fulfilment of legal obligations (which may include, in particular, inquiries from data subjects or authorities and compliance with his accountability duties pursuant to Art. 5 (2) GDPR, as well as the carrying out of a data protection impact assessment pursuant to Art. 35 GDPR) and shall provide the necessary information regarding the processing of Data within the scope of this DPA, if the Controller cannot acquire this information himself. The information must be accessible to the Processor and does not have to be obtained from third parties, whereby employees, agents and subprocessors of the Controller are not considered as third parties.

5. Audits and Inspections

  1. The Controller has the right to audit the Processor's compliance with the legal requirements and the regulations of this DPA, in particular the technical and organisational measures, at any time to the required extent (Art. 28 (3) h. GDPR).
  2. On-site inspections are carried out within normal business hours, must be announced by the Controller within a reasonable period (at least 14 days, except in emergencies) and have to be supported by the Processor (e.g. by the provision of the necessary personnel).
  3. The inspections are limited to the necessary scope and must take into account the Processor's trade and business secrets as well as the protection of personal data of third parties (e.g. other Controllers or employees of the Processor). Only qualified inspectors are permitted to carry out the inspection who must be able to prove their identity with regard to their person and the mandate by submitting official proofs of identity and, if no such proof exists, proof of the assignment, and who are bound to confidentiality with regard to the trade and business secrets as well as processes of the Processor and personal data of third parties.
  4. Instead of audits and on-site inspections, the Processor may refer the Controller to an equivalent inspection or audit by independent third parties (e.g. neutral data protection auditors), compliance with approved rules of conduct (Art. 40 GDPR) or suitable data protection or IT security certifications in accordance with Art. 42 GDPR. This applies in particular if business and trade secrets of the Processor or personal data or other confidential information of third parties would be at risk due to the audits or inspections.
  5. The Processor shall ensure that the Controller can ascertain compliance with the obligations of the Processor in accordance with Art. 28 GDPR. The Controller shall provide the Controller with the necessary information upon request and, in particular, prove that the technical and organisational measures have been implemented. The proof of such measures, which do not concern only the specific assignment, can be provided by:
    • compliance with approved codes of conduct pursuant to Art. 40 GDPR;
    • certification in accordance with an approved certification procedure pursuant to Art. 42 GDPR;
    • current certificates, reports or report extracts from independent bodies (e.g. auditors, auditors, data protection officers, IT security department, data protection auditors, quality auditors);
    • a suitable certification through an IT security or data protection audit (e.g. according to the guidelines and standards of the German Federal Office for Information Security).

6. Engagement of Subprocessors

  1. If the Processor uses the services of a subprocessor in order to carry out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this DPA or other legal act between the Controller and the Processor shall be imposed on the subprocessor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this DPA and the applicable data protection law (in particular with regard to compliance with instructions off the Controller, compliance with technical and organisational measures, provision of information and the toleration of inspections). In particular, the processor shall ensure that the Controller's designated control rights can also be exercised directly and to the same extent by the Controller at the Processor's sub-processors. Furthermore, the Processor must carefully select the subprocessor, check its reliability and monitor its compliance with the requirements of this DPA and the data protection law (Art. 28 2 to 4 GDPR).
  2. Without prejudice to any restrictions by the Principal Agreement, the Controller generally agrees that the Processor may engage subprocessors for the processing of the Data.
  3. The subprocessing relationships already in existence at the time of the conclusion of this DPA are listed by the Processor in Annex 2 "Subprocessors" and are considered authorized by the Processor.
  4. The Processor shall inform the Controller of any changes to the subprocessors that are relevant to the processing of the Data within a reasonable advance period, which as a rule shall be 14 days, via the contact channel provided by the Controller (generally via e-mail). In the event of an objection, the Processor may, at its own discretion, provide the service without the intended change or propose an alternative further subprocessor and coordinate this with the Controller. Insofar as the provision of the service without the intended change is not reasonable for the Controller - for example due to associated disproportionate expenses for the Processor - or the coordination of a further subprocessor fails, the Controller and the Processor may terminate this Agreement as well as the Principal Agreement with a notice period of one month to the end of the month. The termination shall be deemed to have taken place at the next possible ordinary time of termination with regard to the payment of the agreed fees if the objection was made without a legitimate interest.
  5. Contractual relationships in which the Processor uses the services of third parties as a purely ancillary service in order to carry out his business activities (e.g. cleaning, security or transport services) do not constitute subprocessing within the meaning of the above provisions of this DPA. Nevertheless, the Processor must ensure, e.g. through contractual agreements or information and instructions, that the security of the Data is not endangered and that the requirements of this DPA and the data protection laws are complied with.

7. Processing in Third Countries

  1. The processing of Data as contractually specified is carried out only in a Member State of the European Union or in another state party to the Agreement on the European Economic Area (EEA).
  2. Processing in a third country, including by subprocessors, shall require the prior consent of the Controller and may only be carried out if the specific requirements of Article 44 et seq. of the GDPR are met, taking into account the most recent case law of the highest courts (in particular the judgment of the European Court of Justice of 16 July 2020 in Case C-311/18, "Schrems II"), unless the Processor is obliged to carry out processing in the third country by the law of the Union or the Member States to which the Processor is subject, in which case the Processor shall notify the Controller of these legal requirements before processing, unless the law prohibits such an information on important grounds of public interest (Article 28 (3) S. 2 a. GDPR).
  3. The authorisation of the Controller for processing in the third country shall be considered to have been given in respect of the processes listed in Annex 2 "Subprocessors".

8. Duration of the Processing, Termination of Contract and Deletion of Data

  1. This DPA becomes valid upon its conclusion, is concluded for an indefinite period and ends at the latest with the term of the main agreement.
  2. The right to termination without notice for a compelling reason is available to the contracting Parties, in particular in the event of a serious breach of the provisions of this DPA and applicable data protection law. The extraordinary termination must in general be preceded by a warning of the infringements with a reasonable period of notice, whereby the warning is not necessary if it is unlikely that the objected infringements will be remedied or if they are so severe that it is unreasonable to expect the terminating contracting party to adhere to this DPA.
  3. After completion of the processing services under this DPA, the Processor will either delete or return all personal data and copies thereof (as well as all documents obtained in connection with the contractual relationship, processing and processing results obtained and datasets), at the choice of the Controller, unless an obligation to store the personal data exists under Union law or the law of the Member States (Art. 28 (3) S. 2 g. GDPR). The right of retention is excluded with regard to the processed Data and the associated data carriers. With regard to the cancellation or return of the Data, the Controller's rights of information, documentation and inspection shall apply in accordance with this DPA.
  4. In accordance with the main contract, the Processor shall be entitled to collect data which it has collected from generally accessible sources and which the Processor would have obtained even without authorisation/instruction from the Controller (e.g. data transmitted via an interface from Facebook which is accessible to everyone since this data is used by other customers of the Processor ) or not to delete data which is anonymised and thus not personalised (e.g. aggregated data). The Controller profiles are suspended after deactivation, subject to an explicit deletion request, and are only used for reactivation. In the case of test users, only the name and Facebook ID will be stored for multiple sign-in recognition, and the email address will be deleted.
  5. In any case, the obligations arising from this DPA with regard to the Data processed in the assignment shall remain in force even after termination of the DPA.

9. Expense Allowance

  1. Services provided by the Processor on the basis of this DPA, in particular the provision of the necessary information and the cooperation, deletion or return of the data as well as acceptance of and cooperation in the inspections or adequate alternative measures shall not be remunerated separately by the Controller. The services shall only be invoiced if they are not required by law or if they exceed an amount customary in the industry due to circumstances attributable to the Controller.
  2. If a calculation of ancillary contractual services should be made, it shall include compensation for the working time of the personnel claimed by the Processor as well as necessary expenses (e.g. travel or material costs). The Processor shall inform the Controller of the amount of the remuneration in advance by means of an appropriate estimate, unless this is not possible or reasonable (e.g. in the case of any obligation to take immediate action in emergencies). The above-mentioned costs shall be charged at an hourly rate of EUR 120.00 net. The Processor retains the right to prove higher expenses and the Controller retains the right to prove lower expenses.

10. Liability

  1. The liability of the Parties with regard to the processing shall be governed by the statutory provisions, in particular Article 82 GDPR.

11. Final Provisions, Amendments, Form of Communication, Choice of Law, Place of Jurisdiction

  1. Amendments, additional agreements and addenda to this DPA and its annexes require a written agreement and an express note that this is an amendment or addition to this DPA. This also applies to the waiver of this formal requirement.
  2. This DPA shall only oblige the Processor in so far as this is necessary to fulfil the statutory obligations, in particular in accordance with Art. 28 ff. GDPR and does not impose any further duties on the Processor.
  3. Unless otherwise stipulated in this DPA and in the main agreement, communication between the Processor and the Controller within the framework of this DPA (in particular with regard to instructions and provision of information) shall at least be in text form (e.g. e-mail). A lesser form (e.g. oral) may be permissible under the circumstances instead of the text form (e.g. in an emergency situation) but must be confirmed immediately at least in text form. If the written form is required, the written form is understood in the meaning of the GDPR.
  4. The law of the Federal Republic of Germany shall apply. The exclusive place of jurisdiction for all disputes arising from or in connection with this DPA shall be the Processor's registered office, provided that the Controller is a merchant, a legal entity under public law or a public law fund or the Controller has no place of jurisdiction in the Federal Republic of Germany. The Processor reserves the right to bring his claims to the legal place of jurisdiction.

................................................................................................................

Place, date, signature of Controller

Berlin, Mar 19, 2024

................................................................................................................

Place, date, signature of Processor


Data Processing Agreement

Annex 1 – Technical and Organisational Measures (TOMs)

The current list of technical and organisational measures is published at: https://www.fanpagekarma.com/privacy/toms.


Data Processing Agreement

Annex 2 – “Subprocessors”

The current list of subprocessing relationships is published at: https://www.fanpagekarma.com/privacy/subprocessors.

As of: April 2020

Download Agreement